LAS VEGAS — Black Hat USA — A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.
Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.
Device vendors embed hardcoded passwords for their own maintenance or other technical support.
Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports. The time clock system at San Francisco International Airport has since be taken offline from the Internet, he says. Rios declined to identify the location of the other one, which he says remains online.
Why would the internal time clock system for the TSA or other organizations be connected to the Internet? "Is it online by default? I don't know. Kronos can be connected to multiple networks," Rios told Dark Reading in an interview last week.
Rios has been investigating TSA systems over the past few months. In February, he and fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA inside or outside attacker to sneak weapons or other banned items past the TSA checkpoint. The Rapiscan 422 B X-ray system running at many airports was found to have several blatant security holes, including storing user credentials in plain text and a feature that could easily be abused to project phony images on the X-ray display.
Rapiscan's baggage scanners remain in most airports, although its contract with TSA is now defunct after TSA learned that the X-ray machines contain a light bulb that was manufactured by a Chinese company. TSA systems cannot include foreign-made parts.
[Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage. Read TSA Carry-On Baggage Scanners Easy To Hack.]
Meanwhile, the Kronos time clock system sitting on the public Internet could give an attacker access to the airports' local TSA network, Rios says. The Kronos system contained two different hardcoded backdoor passwords that cannot be changed by the user, only by the vendor.
Rios says the Itemiser he tested also came with a backdoor password. Exploiting that, he was able to alter the configuration of the Itemiser system, which could allow an attacker to prevent the system from detecting explosive residue, for example.
"Once you have access to the software, it's game over," he says.
But a spokesman for Morpho Detection, a Safran company, at a press briefing here today said the TSA does not run the vulnerable Itemiser 3 that Rios tested, but rather the newer Itemiser DX, which it says is not vulnerable to the authentication flaw. In a statement, Morpho president and CEO at Morpho Detection said the company plans to release a software update to the Itemiser 3 -- which has was actually discontinued in 2010 -- by the end of the year.
Rios maintains that the Morpho devices still could be compromised because they appear to have "rolling password" features that would allow a backdoor password scenario.
The ICS-CERT issued an advisory about the Itemiser flaw on July 24.
Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. "All it takes is one person to figure it [the password] out, and the entire device is compromised."
The big problem with such devices is there's little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. "They may not even know, because they don't have the tools or expertise to understand it."
In addition, hacking one of these devices is fairly simple, especially when the devices contain backdoor, hardcoded passwords. "There's a low bar required for compromising them. Anyone who kind of understands embedded devices can" compromise them.
But it's not all doom and gloom: Rios says there are ways to prevent exposing critical operations like the TSA's checkpoint from being vulnerable to cyber attack. "I see hospitals now building in security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password.